The popular blogging website Tumblr, which is owned by Yahoo!, urged its users to change all their passwords, especially those protecting sensitive data like email and bank accounts, immediately.

Internet security companies have painted a doomsday scenario of customer web accounts being hijacked by criminals or even government spies.

Global web giants were given advance warning of the need to improve security, which allowed them to make sure their sites were safe.

Hacked? Internet security companies had warned of accounts being hacked by criminals or government spies and, despite Google's assurances to the contrary, it appears many millions of Android users are vulnerable.

However, millions of other firms have not had the time – or expertise – to ensure their sites are protected, leaving consumers in the dark about whether they are safe to use.

These firms will have no choice but to bring in outside security consultants at great expense to protect their websites and customers.

The Heartbleed bug is a flaw in OpenSSL, the encryption software that normally protects data as it is sent between computers and servers, leaving personal and sensitive data vulnerable.

The problem has existed for at least two years; however, details were only made public this week by Google and a small company from Finland called Codenomicon.

The fact the loophole has existed for so long is a huge blow to the credibility of websites and consumer trust in the internet.

However, there is no evidence to date that any malicious hackers have taken advantage of it to grab information.

In a blog post, Google said it has applied a security patch to defeat the flaw on its search engine, Gmail, YouTube, Wallet and Play store for mobile apps and other digital content.

A spokesman said: ‘It’s good practice to use strong passwords that are unique to each of your accounts, but we don’t think our users need to change their Google Account passwords because of this bug.’

Amazon said simply: ‘Amazon.com is not affected.’

Facebook, along with a number of big name websites, was given advance warning that details of the security flaw were about to be made public.

It appears its systems have been vulnerable for some time; however, it has also now installed a security patch.

A spokesman said: ‘We added protections for Facebook’s implementations of OpenSSL before this issue was publicly disclosed, and we haven’t detected any signs of suspicious activity on people’s accounts.

‘We’re continuing to monitor the situation closely.’

The banks also tried to reassure customers. The British Bankers Association said: ‘If customers are worried about the security of their online account they should contact their bank to discuss those concerns directly.

‘If they are proven to have been the victim of a fraudulent online transaction then their bank will make sure they are granted a full refund of any money that has been stolen.’

By contrast, the British Retail Consortium was unable to offer any comment on the safety of online stores.

PayPal, which is part of eBay and responsible for handling millions of electronic payments every day, insisted its system remains secure.

Its chief technical officer, John Barrese, issued a statement saying customer account details were not exposed and there is no need for people to change their password.

However, the problem is not resolved by simply improving site security.

Experts at the American security and training company, the SANS Institute, suggested that the software that runs smartphones, tablets and laptops could have the same flaw.

Spokesman Jake Williams said a malicious server could easily send a message to vulnerable software on phones, laptops, PCs, home routers and other devices, and retrieve a 64KB block of sensitive data from the targeted system.

That would gather keystrokes which could, in theory, provide log-in and password details for internet banks and other sites.

Mr Williams criticised companies with websites that are vulnerable to the Heartbleed bug for failing to admit the problem to consumers. ‘Too many vendors not communicating with their customers,’ he said.

He suggested it could take the industry until 2020 and beyond to eliminate the problem.